Hosting a DNS Server for the NTP Pool Project

If you’re reading this I’m guessing you already know what NTP (Network Time Protocol) is, but as a quick refresher, it’s a simple network protocol for syncing a device’s clock to a reference clock.

I’ve been a huge fan of the NTP Pool Project, which offers anyone, including network operators, end users, and even device manufacturers, the ability to leverage a globally distributed and highly resilient NTP time source.

In the past, I’d hosted NTP servers, but in the days of unpatched NTP servers being used for NTP amplification attacks, my ISP and I grew tired of constantly chasing down issues and I stopped actively hosting NTP servers as part of the NTP Pool.

I’d always known that the basic way the NTP Pool operates is that you point your device at one of its pool hostnames (e.g. 0.pool.ntp.org, or a geographically specific entry like 0.north-america.pool.ntp.org); a DNS lookup is done on that name and the IP address of one of the NTP Pool member servers is returned.

At a small scale, you’d just need a few DNS servers and all would be well, but the NTP Pool serves millions of clients, each issuing DNS queries to find an NTP server to sync with. That much DNS traffic requires A LOT of DNS server capacity, and that’s where another type of volunteer comes in.

After reading this page I realized I could easily offer up a virtual machine and provide some extra DNS capacity for the greater good. I installed a basic Ubuntu virtual machine, added some firewall rules, and the friendly guys at the NTP Pool Project installed their custom DNS server software and started sending queries my way. They said to expect 3-5 Mbps of DNS traffic on average with occasional spikes above that. DNS queries and responses are very small transactions so 3-5 Mbps of traffic is a TON of DNS traffic and a lot of connections through my internet firewall.

Take a look at the number of connections through my internet firewall before and after I started hosting NTP Pool DNS.

I would highly encourage anyone with the resources to host either an NTP server or an NTP Pool DNS server.

Go forth and sync your devices to a reliable time source. Your log files and sysadmins will thank you.

MacOS No Longer Allowing You to SSH to Older Devices?

If you are seeing error messages like

Unable to negotiate with "xxx" port "xxx": no matching cipher found. Their offer: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@server

the mismatch is because recent OpenSSH clients no longer offer those CBC ciphers by default. You can either upgrade the SSH server on the device to support the newer, more secure algorithms (the better fix), or you can re-enable the older ciphers on your Mac by performing the following:

sudo nano /etc/ssh/ssh_config

Find the Ciphers line shown below and remove the leading # to re-enable these disabled ciphers:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc

Another option, which avoids touching the system-wide file, is to edit the per-user ssh configuration file like this. Note that Host * applies the change to every connection you make; narrowing it to the hostname of the old device keeps the modern defaults everywhere else.

nano ~/.ssh/config

Host *
SendEnv LANG LC_*
Ciphers +aes256-cbc
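As an added example (my own sketch, not code from the original post), here is a small POSIX shell script that writes the override under its own Host block for the one legacy device instead of Host *, and then asks ssh for the effective cipher list without connecting. The alias old-switch and the address 10.0.0.5 are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): keep the CBC override scoped to
# the one legacy device instead of "Host *", and check the result with ssh -G.
# The alias "old-switch" and address 10.0.0.5 are placeholders (assumption).

# Print a per-host stanza that enables the legacy cipher only for one device.
legacy_ssh_stanza() {
    alias_name=$1   # the name you will type: ssh old-switch
    addr=$2         # the device's real address
    cat <<EOF
# Legacy device that only offers CBC ciphers. The override lives here, under
# its own Host block, so every other connection keeps the modern defaults.
Host $alias_name
    HostName $addr
    Ciphers +aes256-cbc
EOF
}

# Append the stanza to a config file; if the file is created, it gets mode 0600.
install_stanza() {
    cfg=$1; alias_name=$2; addr=$3
    ( umask 077; legacy_ssh_stanza "$alias_name" "$addr" >> "$cfg" )
}

# Ask ssh for the effective cipher list for a host without connecting.
# -G prints the resolved configuration and exits; -F makes ssh read only the
# given file (ignoring /etc/ssh/ssh_config), so a temporary config can be used.
effective_ciphers() {
    cfg=$1; host=$2
    ssh -G -F "$cfg" "$host" | sed -n 's/^ciphers //p'
}

# Usage (with the placeholder alias and address):
#   install_stanza "$HOME/.ssh/config" old-switch 10.0.0.5
#   effective_ciphers "$HOME/.ssh/config" old-switch   # list now ends in aes256-cbc
#   ssh -Q cipher                                      # every cipher this client can still speak
```

ssh -Q cipher lists every cipher the client is still able to negotiate, and ssh -G host shows what it will actually offer once the config is applied, which is a quick way to confirm the override landed on the right host and nowhere else. If the next error you see is "no matching key exchange method found" or "no matching host key type found", the same + syntax works for KexAlgorithms and HostKeyAlgorithms, placed in the same Host block.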

Quickly compare files over SSH using diff

I maintain several Linux servers that provide DNS, web, system monitoring, syslog, and config file archival. These servers have been loyal workhorses that seldom need much care and feeding other than periodic software updates. Over the past several years my confidence and experience with Linux has grown and I’ve attempted to make notes of useful commands that I don’t use very often.

I came across one of these useful commands today and decided to make a simple blog entry if for no other reason than to help remind myself of the syntax.

Nearly every Linux system has the “diff” application available. This application points out the differences (hence the name “diff”) between the input files. I’ve used this command many times to compare files on the same server, but today I wanted to compare two files that were located on different servers. To accomplish this remote file diff operation you can simply use the ssh command and pipe the results to the diff command as follows:

ssh {remote host} cat {remote file path} | diff {local file path} -

Here’s an example filling in the blanks with actual data:

ssh 10.0.0.2 cat /etc/named.conf | diff /etc/named.conf -

Note the trailing - (hyphen) at the end. That is not a typo: it tells diff to read its second input from standard input, which is the remote file streamed back through ssh.
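As an added example that is not part of the original post, here is the same idea wrapped in POSIX shell functions that quote the remote path (so names with spaces or glob characters survive the remote shell), distinguish a failed ssh from a genuine difference, and label the two sides of a unified diff. A second function compares two files that both live on remote hosts. The hosts and paths in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): the ssh-to-diff one-liner wrapped
# in functions that quote the remote path, separate "transport failed" from
# "files differ", and label both sides of a unified diff. Host names and paths
# in the usage comments are placeholders (assumption).

# Command used to reach the remote host. Overridable so the functions can be
# dry-run without a server (a test can point it at a local runner). -n stops
# the remote command from reading the local terminal's stdin.
SSH_CMD=${SSH_CMD:-ssh -n}

# Quote a string for the remote POSIX shell: wrap it in single quotes and
# escape any embedded single quote, so the path is passed through literally.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# fetch_remote HOST REMOTE_PATH DEST_FILE
# Copy the remote file's contents into DEST_FILE via "cat" over ssh.
fetch_remote() {
    $SSH_CMD "$1" "cat -- $(shquote "$2")" > "$3"
}

# remote_diff LOCAL_FILE HOST REMOTE_PATH
# Exit status mirrors diff: 0 identical, 1 different, 2 could not read remote.
remote_diff() {
    local_file=$1; host=$2; remote_path=$3
    tmp=$(mktemp) || return 2
    if ! fetch_remote "$host" "$remote_path" "$tmp"; then
        echo "remote_diff: cannot read $host:$remote_path" >&2
        rm -f "$tmp"
        return 2
    fi
    # -L labels the ---/+++ header lines so the output says which side is which.
    diff -u -L "$local_file" -L "$host:$remote_path" "$local_file" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# remote_remote_diff HOST1 PATH1 HOST2 PATH2
# Compare two files that both live on remote hosts (neither copy is local).
remote_remote_diff() {
    t1=$(mktemp) || return 2
    t2=$(mktemp) || { rm -f "$t1"; return 2; }
    if ! fetch_remote "$1" "$2" "$t1" || ! fetch_remote "$3" "$4" "$t2"; then
        echo "remote_remote_diff: cannot read one of the inputs" >&2
        rm -f "$t1" "$t2"
        return 2
    fi
    diff -u -L "$1:$2" -L "$3:$4" "$t1" "$t2"
    rc=$?
    rm -f "$t1" "$t2"
    return $rc
}

# Usage (placeholders):
#   remote_diff /etc/named.conf 10.0.0.2 /etc/named.conf
#   remote_remote_diff ns1 /etc/named.conf ns2 /etc/named.conf
```

Fetching into a temporary file first is what makes the exit status trustworthy: with the bare pipeline, an ssh failure leaves diff comparing against an empty stream, which looks like "every line differs" rather than "could not read the remote file".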